I'm aware of the following site-to-site VPN limitation: Note: Non-Meraki VPN peers are organization-wide, so peers will be configured for all such MX devices in an organization. If you want multiple MX's to connect to the same 3rd party VPN peer they will all have the same shared secret.
The security policy of the multi-site deployment I'm currently working on requires different preshared secrets for all branch sites, which is obviously a problem. Does anyone know if this is on a roadmap for future enhancement?
It is often easier to get an extra MX and have it put into the terminating agency. They can plug the LAN side of the MX into their firewall and still retain control of the data flows. You can then use simple AutoVPN.
Only just saw this comment, looking for something else... You know null encryption is now supported for third party VPN tunnels? Under Security & SD-WAN > Site-to-site VPN > Organization-wide settings > Non-Meraki VPN peers. Then select IPsec policies > Phase 2 > NULL.